Google’s free Assured Open Source Software (AOSS) service was launched in beta in 2020 and reached general availability (GA) in March 2023. The AOSS service is designed to help open-source projects maintain the security and quality of their code by providing free security assessments, vulnerability scans, and code analysis.
Google’s Assured Open Source Software (Assured OSS) service assists developers in defending against supply chain security attacks by scanning and analyzing some of the world’s most popular software libraries for vulnerabilities on a regular basis. Today, Google is making Assured OSS available to the public, with support for over a thousand Java and Python packages. While Google did not initially disclose pricing when the service was announced, the company has now revealed that it will be free.
Third-party libraries (often maintained by a single developer) have long been used in software development, but it wasn’t until the industry was hit with a number of high-profile exploits that everyone (including the White House) woke up and started taking software supply chain security seriously. You can’t go to an open source conference these days without hearing about Software Bills of Materials (SBOMs), artifact registries, and other related topics. It’s no surprise that Google, which has long been at the forefront of open-source product development, has launched a service like Assured OSS.
Google promises to keep these libraries up to date (without creating forks), scan for known vulnerabilities, perform fuzz tests to discover new ones, fix these issues, and contribute these fixes back upstream. The company claims that when it first launched the service with about 250 Java libraries, it was responsible for discovering 48% of the new CVEs and addressing them.
“As organizations increasingly utilize OSS for faster development cycles, they need trusted sources of secure open source packages,” said Melinda Marks, senior analyst, ESG. “Without proper vetting and verification or metadata to help track OSS access and usage, organizations risk exposure to potential security vulnerabilities and other risks in their software supply chain. By partnering with a trusted supplier, organizations can mitigate these risks and ensure the integrity of their software supply chain to better protect their business applications.”
The AOSS service is available to open source projects that meet certain eligibility criteria, such as having a publicly accessible code repository, being licensed under an OSI-approved license, and having an active community of contributors. The service is designed to be scalable, so it can accommodate projects of all sizes, from small independent projects to large, established open source projects.